Wyo. Code R. 038-0002-5
Online Sports Wagering
Chapter 5: Technical Standards
Effective Date: 10/05/2021 to Current
Rule Type: Current Rules & Regulations
Reference Number: 038.0002.5.10052021
(a) A sports wagering operator shall use a sports wagering system to offer, conduct, or operate online sports wagering in accordance with applicable laws and these rules. Only a sports wagering operator or its sports wagering vendor may process, accept, offer, or solicit online sports wagers. If a sports wagering operator does not utilize a sports wagering vendor and, instead, develops its own sports wagering system, the sports wagering operator is considered both a sports wagering operator and a sports wagering vendor for the purposes of this chapter.
(b) Sports wagering operators and sports wagering vendors must comply with, and the Commission adopts and incorporates by reference, the Gaming Laboratories International Standard Series, GLI-33: Standards for Event Wagering Systems, Version 1.1, and its appendices, May 14, 2019 Revision Date. The GLI-33 standards are intended to supplement rather than supplant other technical standards and requirements under these rules.
(c) A sports wagering system for use to conduct online sports wagering must meet the specifications set forth in these rules or other technical specifications as prescribed by the Commission. Failure to comply with the approved specifications, internal controls, or technical specifications may result in disciplinary action by the Commission.
(a) Prior to conducting online sports wagering, and annually thereafter, the sports wagering system used in conjunction with the sports wagering operation shall be submitted to a nationally recognized, independent gaming laboratory approved by the Commission for certification testing. Certification and Commission approval must be received prior to the use of any sports wagering system to conduct online sports wagering.
(b) If the sports wagering system meets or exceeds the specifications set forth in these rules or other technical specifications as prescribed by the Commission, the independent gaming laboratory approved by the Commission shall certify the sports wagering system. Sports wagering operators and sports wagering vendors are prohibited from offering online sports wagering in Wyoming without such certification. The sports wagering vendor is responsible for all costs associated with testing and obtaining such certifications.
(c) The sports wagering operator and its sports wagering vendor must submit change control processes to the Commission for approval which detail evaluation procedures for identifying the criticality of updates and determining the updates that must be submitted to a Commission approved independent gaming laboratory for review and certification. These processes must be:
(i) Developed in accordance with, the Gaming Laboratories International, Change Management Program Guide, Version 1.0, Published May 6, 2020, which the Commission adopts and incorporates by reference; and
(ii) Certified prior to its deployment and audited at an annual interval by the independent gaming laboratory.
(d) At least once annually, each product operating under the certified change control processes must be fully certified to the specifications set forth in these rules or other technical specifications as prescribed by the Commission and accompanied by formal certification documentation from the independent gaming laboratory. The sports wagering operator and sports wagering vendor where separate shall be allowed to seek approval for extension beyond the annual approval if hardship can be demonstrated. Granting of a hardship waiver is the sole discretion of the Commission.
(a) All online sports wagering transactions must be initiated and received or otherwise made by a patron located in the authorized geographic boundaries within Wyoming. The authorized geographic boundaries shall exclude Indian Lands located in Wyoming. For purposes of these rules, the intermediate routing of electronic data in connection with online sports wagering, including routing across state lines, does not determine the location or locations in which the online sports wager is initiated, received, or otherwise made.
(b) The sports wagering vendor must utilize a geolocation system to reasonably detect the physical location of an individual or patron attempting to access the sports wagering system and place an online sports wager and to monitor and block unauthorized attempts to place an online sports wager when an individual or patron is not within the authorized geographic boundaries.
(c) The Commission shall approve technical specifications for geolocation systems and any specific requirements related to geolocation and may also issue such requirements in the form of Commission Directives.
Unless otherwise approved by the Commission in writing, a sports wagering operator and its sports wagering vendor must place its primary server or other equipment responsible for the acceptance of patron wagers in secure locations in this state. The Commission may approve of the use of internet or cloud-based hosting of duplicate data or data not related to transactional wagering data upon written request of a sports wagering operator or sports wagering vendor.
(a) Each sports wagering operator or sports wagering vendor shall, within ninety (90) days after commencing operations in Wyoming, and annually thereafter, have an integrity and security assessment of the sports wagering system conducted by an independent professional selected by the sports wagering operator or sports wagering vendor and subject to approval of the Commission.
(b) The scope of the sports wagering system integrity and security assessment is subject to approval of the Commission and must include, at a minimum, all of the following:
(i) A vulnerability assessment of digital platforms, mobile applications, internal, external, and wireless networks with the intent of identifying vulnerabilities of all devices, the sports wagering systems, and applications transferring, storing, and/or processing personal identifying information (PII) and/or other sensitive information connected to or present on the networks;
(ii) A penetration test of all digital platforms, mobile applications, internal, external, and wireless networks to confirm if identified vulnerabilities of all devices, the sports wagering systems, and applications are susceptible to compromise;
(iii) A review of the firewall rules to verify the operating condition of the firewall and the effectiveness of its security configuration and rule sets performed on all of the perimeter firewalls and the internal firewalls;
(iv) A technical security control assessment against the provisions adopted in Appendix B of GLI-33 and these rules with generally accepted professional standards and as approved by the Commission;
(v) An evaluation of information security services, cloud services, payment services (financial institutions, payment processors, etc.), location services, and any other services which may be offered directly by the permittee or involve the use of third parties; and
(vi) Any other specific criteria or standards for the sports wagering system integrity and security assessment as prescribed by the Commission.
(c) The full independent professional's report on the assessment must be submitted to the Commission no later than thirty (30) days after the assessment is conducted and must include all the following:
(i) Scope of review;
(ii) Name and company affiliation of the individual or individuals who conducted the assessment;
(iii) Date of assessment;
(iv) Findings;
(v) Recommended corrective action, if applicable; and
(vi) Sports wagering operator's or sports wagering vendor's response to the findings and recommended corrective action.
(d) Where approved by the Commission, it is acceptable to leverage the results of prior assessments within the past year conducted by the same independent professional against standards such as ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, the NIST Cybersecurity Framework (CSF), the Payment Card Industry Data Security Standards (PCI-DSS), or equivalent. Such leveraging shall be noted in the independent professional's report. This leveraging does not include critical components unique to the state which will require fresh assessments.
Section 6. Sports Wagering Technical Security Controls. In addition to the technical security controls set out in Appendix B of GLI-33, additional technical security controls may be adopted by the Commission through the issuance of Commission Directives.
Section 7. Information Security Management System (ISMS). Each sports wagering operator or sports wagering vendor shall implement, maintain, regularly review and revise, and comply with a comprehensive ISMS. The purpose of which shall be to take reasonable steps to protect the confidentiality, integrity, and availability of personal identifying information (PII) of individuals who place a wager with the sports wagering operator or sports wagering vendor, and shall contain administrative, technical, and physical safeguards appropriate to the size, complexity, nature, and scope of the operations and the sensitivity of the personal information owned, licensed, maintained, handled, or otherwise in the possession of the sports wagering operator or sports wagering vendor. Additional ISMS specifications may be adopted by the Commission through the issuance of Commission Directives.
Section 8. Test Accounts. A sports wagering operator or sports wagering vendor may establish test accounts to be used to test the various components and operation of a sports wagering system pursuant to internal controls adopted by the sports wagering operator or sports wagering vendor, which, at a minimum, must address all of the following:
(a) The procedures for issuing funds used for testing, including the identification of who may issue the funds and the maximum amount of funds that may be issued;
(b) The procedures for assigning each test account for use by only one (1) individual. However, a sport wagering operator may establish a specific scenario or instance of a test account that may be shared by multiple users if each user's activities are separately logged;
(c) The maintenance of a record for all test accounts, to include when they are active, to whom they are issued, and the employer of the individual to whom they are issued;
(d) The procedures for auditing testing activity by the sports wagering operator or sports wagering vendor to ensure the accountability of funds used for testing and proper adjustments to online sports wagering revenue; and (e) The procedures for authorizing and auditing out-of-state test activity.
(a) The Commission hereby incorporates by reference the following gaming standards:
(i) The Gaming Laboratories International Standard Series, GLI-33: Standards for Event Wagering Systems, Version 1.1, and its appendices, May 14, 2019 Revision Date, which can be found electronically at http://gaming.wyo.gov;
(ii) The Gaming Laboratories International, Change Management Program Guide, Version 1.0, Published May 6, 2020, which can be found electronically at http://gaming.wyo.gov;
(b) For these standards incorporated by reference:
(i) The Commission has determined that incorporation of the full text in these standards would be cumbersome or inefficient given the length or nature of the rules;
(ii) The incorporation by reference does not include any later amendments or editions of the incorporated matter beyond the applicable date identified in subsections (a)(i)-(ii) of this section; and
(iii) The incorporated standards are maintained at the Wyoming Gaming Commission's office, 951 Werner Court, Suite 335, Casper, Wyoming and are available for inspection and copying, at no cost to the public, at the same location.